| Message ID | 20250617123507.2245-1-cedric.hombourger@siemens.com |
|---|---|
| State | Under Review |
| Headers | show |
| Series | rootfs: do not expose /sys/firmware while building root file-systems | expand |
On Tuesday, June 17, 2025 at 6:05:26 PM UTC+5:30 Cedric Hombourger wrote:
We need /sys while assembling the target root file-system but it exposes
more than the build really needs. Some maintainer scripts (e.g. mdmadm)
check /sys/firmware/efi/efivars while configuring themselves. This would
normally be fine but for Isar builds, any information extracted from there
is for the host doing the build and not for the target we are building for.
In addition, packages seeing /sys/firmware/efi will mount efivars there
and will cause do_rootfs_umount to fail unmounting /sys (because of that
extra mount). By mounting a (small) tmpfs as /sys/firmware in the root
file-system, we hide host details from the build; that extra mount needs
to be removed before we attempt to unmount /sys (but we are in control).
Signed-off-by: Cedric Hombourger <cedric.h...@siemens.com>
---
meta/classes/rootfs.bbclass | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass
index 5f877962..7b7859b9 100644
--- a/meta/classes/rootfs.bbclass
+++ b/meta/classes/rootfs.bbclass
@@ -48,6 +48,12 @@ rootfs_do_mounts() {
mount -o bind,private /sys '${ROOTFSDIR}/sys'
mount --make-rslave '${ROOTFSDIR}/sys'
+ # Mount a tmpfs on /sys/firmware to avoid host contamination problems
+ # (maintainer scripts shouldn't pull host data from there)
+ if [ -d '${ROOTFSDIR}/sys/firmware' ]; then
+ mount -t tmpfs -o size=1m,nosuid,nodev none '${ROOTFSDIR}/sys/firmware'
+ fi
+
# Mount isar-apt if the directory does not exist or if it is empty
# This prevents overwriting something that was copied there
if [ ! -e '${ROOTFSDIR}/isar-apt' ] || \
@@ -94,6 +100,9 @@ rootfs_do_umounts() {
if mountpoint -q '${ROOTFSDIR}/proc'; then
umount '${ROOTFSDIR}/proc'
fi
+ if mountpoint -q '${ROOTFSDIR}/sys/firmware'; then
+ umount '${ROOTFSDIR}/sys/firmware'
+ fi
if mountpoint -q '${ROOTFSDIR}/sys'; then
umount '${ROOTFSDIR}/sys'
fi
On Tue, 2025-06-17 at 14:35 +0200, 'Cedric Hombourger' via isar-users wrote: > We need /sys while assembling the target root file-system but it > exposes > more than the build really needs. Some maintainer scripts (e.g. > mdmadm) > check /sys/firmware/efi/efivars while configuring themselves. This > would > normally be fine but for Isar builds, any information extracted from > there > is for the host doing the build and not for the target we are > building for. > In addition, packages seeing /sys/firmware/efi will mount efivars > there > and will cause do_rootfs_umount to fail unmounting /sys (because of > that > extra mount). By mounting a (small) tmpfs as /sys/firmware in the > root > file-system, we hide host details from the build; that extra mount > needs > to be removed before we attempt to unmount /sys (but we are in > control). Good catch! Eventually all these mountpoints should be documented as well. > > Signed-off-by: Cedric Hombourger <cedric.hombourger@siemens.com> > --- > meta/classes/rootfs.bbclass | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/meta/classes/rootfs.bbclass > b/meta/classes/rootfs.bbclass > index 5f877962..7b7859b9 100644 > --- a/meta/classes/rootfs.bbclass > +++ b/meta/classes/rootfs.bbclass > @@ -48,6 +48,12 @@ rootfs_do_mounts() { > mount -o bind,private /sys '${ROOTFSDIR}/sys' > mount --make-rslave '${ROOTFSDIR}/sys' > > + # Mount a tmpfs on /sys/firmware to avoid host contamination > problems > + # (maintainer scripts shouldn't pull host data from there) > + if [ -d '${ROOTFSDIR}/sys/firmware' ]; then > + mount -t tmpfs -o size=1m,nosuid,nodev none > '${ROOTFSDIR}/sys/firmware' > + fi > + Would bubblewrap help in this case? I'm also wondering if we really should bind-mount the devices from the host or better mknod them in the chroot. Anyways, this discussion should not stop the patch from being merged. Felix > # Mount isar-apt if the directory does not exist or if it is > empty > # This prevents overwriting something that was copied there > if [ ! -e '${ROOTFSDIR}/isar-apt' ] || \ > @@ -94,6 +100,9 @@ rootfs_do_umounts() { > if mountpoint -q '${ROOTFSDIR}/proc'; then > umount '${ROOTFSDIR}/proc' > fi > + if mountpoint -q '${ROOTFSDIR}/sys/firmware'; then > + umount '${ROOTFSDIR}/sys/firmware' > + fi > if mountpoint -q '${ROOTFSDIR}/sys'; then > umount '${ROOTFSDIR}/sys' > fi > -- > 2.39.5
On 17.06.25 14:58, 'MOESSBAUER, Felix' via isar-users wrote: > On Tue, 2025-06-17 at 14:35 +0200, 'Cedric Hombourger' via isar-users > wrote: >> We need /sys while assembling the target root file-system but it >> exposes >> more than the build really needs. Some maintainer scripts (e.g. >> mdmadm) >> check /sys/firmware/efi/efivars while configuring themselves. This >> would >> normally be fine but for Isar builds, any information extracted from >> there >> is for the host doing the build and not for the target we are >> building for. >> In addition, packages seeing /sys/firmware/efi will mount efivars >> there >> and will cause do_rootfs_umount to fail unmounting /sys (because of >> that >> extra mount). By mounting a (small) tmpfs as /sys/firmware in the >> root >> file-system, we hide host details from the build; that extra mount >> needs >> to be removed before we attempt to unmount /sys (but we are in >> control). > > Good catch! Eventually all these mountpoints should be documented as > well. > >> >> Signed-off-by: Cedric Hombourger <cedric.hombourger@siemens.com> >> --- >> meta/classes/rootfs.bbclass | 9 +++++++++ >> 1 file changed, 9 insertions(+) >> >> diff --git a/meta/classes/rootfs.bbclass >> b/meta/classes/rootfs.bbclass >> index 5f877962..7b7859b9 100644 >> --- a/meta/classes/rootfs.bbclass >> +++ b/meta/classes/rootfs.bbclass >> @@ -48,6 +48,12 @@ rootfs_do_mounts() { >> mount -o bind,private /sys '${ROOTFSDIR}/sys' >> mount --make-rslave '${ROOTFSDIR}/sys' >> >> + # Mount a tmpfs on /sys/firmware to avoid host contamination >> problems >> + # (maintainer scripts shouldn't pull host data from there) >> + if [ -d '${ROOTFSDIR}/sys/firmware' ]; then >> + mount -t tmpfs -o size=1m,nosuid,nodev none >> '${ROOTFSDIR}/sys/firmware' >> + fi >> + > > Would bubblewrap help in this case? I'm also wondering if we really > should bind-mount the devices from the host or better mknod them in the > chroot. > > Anyways, this discussion should not stop the patch from being merged. ...but what should be considered first if such an opt-out list only needs to contain firmware or rather even more folders? Or sub-mounts on sysfs in general? Jan
On Tue, 2025-06-17 at 12:58 +0000, Moessbauer, Felix (FT RPD CED OES- DE) wrote: > On Tue, 2025-06-17 at 14:35 +0200, 'Cedric Hombourger' via isar-users > wrote: > > We need /sys while assembling the target root file-system but it > > exposes > > more than the build really needs. Some maintainer scripts (e.g. > > mdmadm) > > check /sys/firmware/efi/efivars while configuring themselves. This > > would > > normally be fine but for Isar builds, any information extracted > > from > > there > > is for the host doing the build and not for the target we are > > building for. > > In addition, packages seeing /sys/firmware/efi will mount efivars > > there > > and will cause do_rootfs_umount to fail unmounting /sys (because of > > that > > extra mount). By mounting a (small) tmpfs as /sys/firmware in the > > root > > file-system, we hide host details from the build; that extra mount > > needs > > to be removed before we attempt to unmount /sys (but we are in > > control). > > Good catch! Eventually all these mountpoints should be documented as > well. > > > > > Signed-off-by: Cedric Hombourger <cedric.hombourger@siemens.com> > > --- > > meta/classes/rootfs.bbclass | 9 +++++++++ > > 1 file changed, 9 insertions(+) > > > > diff --git a/meta/classes/rootfs.bbclass > > b/meta/classes/rootfs.bbclass > > index 5f877962..7b7859b9 100644 > > --- a/meta/classes/rootfs.bbclass > > +++ b/meta/classes/rootfs.bbclass > > @@ -48,6 +48,12 @@ rootfs_do_mounts() { > > mount -o bind,private /sys '${ROOTFSDIR}/sys' > > mount --make-rslave '${ROOTFSDIR}/sys' > > > > + # Mount a tmpfs on /sys/firmware to avoid host > > contamination > > problems > > + # (maintainer scripts shouldn't pull host data from there) > > + if [ -d '${ROOTFSDIR}/sys/firmware' ]; then > > + mount -t tmpfs -o size=1m,nosuid,nodev none > > '${ROOTFSDIR}/sys/firmware' > > + fi > > + > > Would bubblewrap help in this case? I'm also wondering if we really > should bind-mount the devices from the host or better mknod them in > the > chroot. bwrap creates a minimal /dev (unless we use --dev-bind AFAICT), it does not mount /proc unless requested (--proc DEST) and happily leaves /sys unmounted (unless we explicitly --bind it from the host) bind-mounting was introduced in 2018 via 768908a33b3e8c375ca24cf59ec61c0a9dfa8661 it was found needed by some packages at least when building them as Felix suggested in [1], we could investigate doing the rootfs construction within a bwrap session and take that chance to revisit bind mounts we do (and document them somewhere so we may also note the why there) Cedric [1] https://lists.isar-build.org/isar-users/20250515150727.1764989-1-cedric.hombourger@siemens.com/T/#m2686bcfd0c11a7fd19f80a12491e3113340a9766 > > Anyways, this discussion should not stop the patch from being merged. > > Felix > > > # Mount isar-apt if the directory does not exist or if it > > is > > empty > > # This prevents overwriting something that was copied > > there > > if [ ! -e '${ROOTFSDIR}/isar-apt' ] || \ > > @@ -94,6 +100,9 @@ rootfs_do_umounts() { > > if mountpoint -q '${ROOTFSDIR}/proc'; then > > umount '${ROOTFSDIR}/proc' > > fi > > + if mountpoint -q '${ROOTFSDIR}/sys/firmware'; then > > + umount '${ROOTFSDIR}/sys/firmware' > > + fi > > if mountpoint -q '${ROOTFSDIR}/sys'; then > > umount '${ROOTFSDIR}/sys' > > fi > > -- > > 2.39.5 > > -- > Siemens AG > Linux Expert Center > Friedrich-Ludwig-Bauer-Str. 3 > 85748 Garching, Germany >
diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass index 5f877962..7b7859b9 100644 --- a/meta/classes/rootfs.bbclass +++ b/meta/classes/rootfs.bbclass @@ -48,6 +48,12 @@ rootfs_do_mounts() { mount -o bind,private /sys '${ROOTFSDIR}/sys' mount --make-rslave '${ROOTFSDIR}/sys' + # Mount a tmpfs on /sys/firmware to avoid host contamination problems + # (maintainer scripts shouldn't pull host data from there) + if [ -d '${ROOTFSDIR}/sys/firmware' ]; then + mount -t tmpfs -o size=1m,nosuid,nodev none '${ROOTFSDIR}/sys/firmware' + fi + # Mount isar-apt if the directory does not exist or if it is empty # This prevents overwriting something that was copied there if [ ! -e '${ROOTFSDIR}/isar-apt' ] || \ @@ -94,6 +100,9 @@ rootfs_do_umounts() { if mountpoint -q '${ROOTFSDIR}/proc'; then umount '${ROOTFSDIR}/proc' fi + if mountpoint -q '${ROOTFSDIR}/sys/firmware'; then + umount '${ROOTFSDIR}/sys/firmware' + fi if mountpoint -q '${ROOTFSDIR}/sys'; then umount '${ROOTFSDIR}/sys' fi
We need /sys while assembling the target root file-system but it exposes more than the build really needs. Some maintainer scripts (e.g. mdmadm) check /sys/firmware/efi/efivars while configuring themselves. This would normally be fine but for Isar builds, any information extracted from there is for the host doing the build and not for the target we are building for. In addition, packages seeing /sys/firmware/efi will mount efivars there and will cause do_rootfs_umount to fail unmounting /sys (because of that extra mount). By mounting a (small) tmpfs as /sys/firmware in the root file-system, we hide host details from the build; that extra mount needs to be removed before we attempt to unmount /sys (but we are in control). Signed-off-by: Cedric Hombourger <cedric.hombourger@siemens.com> --- meta/classes/rootfs.bbclass | 9 +++++++++ 1 file changed, 9 insertions(+)